search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Linux kernel Bluetooth support fails to properly bounds check "protocol" variable

Vulnerability Note VU#685461

Original Release Date: 2005-04-05 | Last Revised: 2005-12-22

Overview

Linux kernels with Bluetooth support do not adequately validate the "protocol" value, allowing a local user to execute arbitrary code with elevated privileges.

Description

Linux kernels with Bluetooth support may contain a local root vulnerability, even if Bluetooth hardware is not present. A call to socket() may bypass a bounds check on the protocol value. This value is used at a later point as an index to a function pointer, making it possible for an attacker to execute arbitrary code from memory regions controlled by the attacker.

The flawed Bluetooth kernel modules are present by default on some Linux distributions and are frequently loadable by unprivileged users.

Impact

An unprivileged, local, authenticated user may be able to gain elevated privileges, even on systems without Bluetooth drivers previously loaded or on systems without Bluetooth hardware installed.

Solution

Apply An Update
This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.


Disable Bluetooth Support

As a workaround, administrators may remove the bluetooth kernel module(s) from their system.

Install Kernel Modules

Suresec Ltd. has also created loadable kernel modules which check protocol and domain values for validity before being used in the flawed Bluetooth code. More information is available in Suresec security advisory 1.

Vendor Information

685461
 
Expand all

Linux Kernel Archives Affected

Updated:  April 05, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc. Affected

Notified:  April 05, 2005 Updated: December 22, 2005

Status

Affected

Vendor Statement

This issue could affect Red Hat Enterprise Linux 2.1, 3, and 4 users where the
bluetooth modules are loaded.  Updated kernel packages are available at the URL
below and by using the Red Hat Network 'up2date' tool.

http://rhn.redhat.com/errata/CAN-2005-0750.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian Linux Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM zSeries Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

SUSE/Novell has released fixed packages to fix this problem, documented in this security advisory:

http://www.novell.com/linux/security/advisories/2005_21_kernel.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Computer Systems, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc. Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux) Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux Unknown

Notified:  April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 19 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Suresec Ltd for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-0750
Severity Metric: 8.78
Date Public: 2005-03-27
Date First Published: 2005-04-05
Date Last Updated: 2005-12-22 19:16 UTC
Document Revision: 25

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis